Network traffic inspection

ABSTRACT

Techniques for inspecting network traffic are disclosed. An application executing as an operating system extension that uses a virtual private network (VPN) stack of the operating system intercepts an Internet protocol (IP) packet for delivery to a remote computer system. A determination is made of an action to take in response to intercepting the packet. The determined action is taken.

CROSS REFERENCE TO OTHER APPLICATIONS

This application is a continuation of co-pending U.S. patent applicationSer. No. 16/189,964, entitled NETWORK TRAFFIC INSPECTION filed Nov. 13,2018, which is a continuation of co-pending U.S. patent application Ser.No. 15/727,488 entitled NETWORK TRAFFIC INSPECTION filed Oct. 6, 2017,both of which are incorporated herein by reference for all purposes.

BACKGROUND

Network traffic inspection has been a long-term technical challenge,with increased difficulty as technology evolves and more devices withheterogeneous operating systems are added to the system. Applications ofnetwork traffic inspection range from network traffic measurements andbandwidth control to monitoring and security applications, such asintrusion or threat prevention detection.

In an example, a user receives an email or a text as part of a phishingattack. The email or text includes a link to a phishing website that isdesigned as a clone of a well-known website. When the user clicks on thelink, the phishing website is displayed on his computer, and the user istricked into believing that the phishing website is the well-knownwebsite. The user is prompted to enter his login ID and his password,and he enters this sensitive information, which is then captured by thephishing website. The criminals that operate the phishing website areable to exploit this sensitive information by using it to log in to thewell-known website.

One application of network traffic inspection is related to security. Ifthe network traffic of the user's access of the phishing website couldbe inspected by a security application, the security application coulddetect that the user is accessing a suspicious website, and could flagthe access as a potential security threat.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is an illustration of a networking environment, consistent withvarious embodiments.

FIG. 2 is an illustration of a first network traffic inspectionenvironment, consistent with various embodiments.

FIG. 3A is an illustration of a second network traffic inspectionenvironment, consistent with various embodiments.

FIG. 3B is a block diagram illustrating networking components of anoperating system running at a computer at the second network trafficinspection environment, consistent with various embodiments.

FIG. 4 is an illustration of a method for inspecting network traffic,consistent with various embodiments.

FIGS. 5 and 6 are illustrations of security-related messages beingdisplayed on mobile devices, consistent with various embodiments.

FIGS. 7A-E are illustrations of various security threats, consistentwith various embodiments.

FIG. 8 is a system block diagram illustrating a processing device inwhich at least some operations described herein can be implemented,consistent with various embodiments.

DETAILED DESCRIPTION

Introduced here is a technique for monitoring network communications.Some techniques for monitoring network communications suffer somedeficiencies. For example, some security applications are installed withenhanced privileges to enable the security application to access networktraffic, such as by use of privileged commands or resources. Because thesecurity application is installed with enhanced privileges, securityholes in the security application can be exploited by attackers to gainaccess to privileged commands, resources, etc., thereby enabling apossibly major security breach. Other security applications areinstalled as a standard application where a user needs to launch thesecurity application after each reboot or power-on of the computersystem on which the security application is installed. When a userneglects to launch the security application, the computer system is notprotected by the security application, once again enabling a possiblymajor security breach.

Yet other security applications rely on remote servers for analyzingnetwork communications. In an example, a user installs a securityapplication that directs monitored network communications to a remoteserver, where the network communications are analyzed to determine ifthey indicate a security threat. Such a technique suffers variousdeficiencies, for example: adding significant latency to data access,resulting in, e.g., degraded performance when web browsing; increasingcommunication network usage, resulting in increased data charges for acellular carrier; or increasing the power consumption of the computersystem, resulting in a shorter battery life when the computer system isa battery powered device, such as a smart phone.

Various embodiments of the techniques disclosed herein are able to avoidsome or all of the above mentioned deficiencies. In an example, ratherthan being installed with elevated privileges to enable access tonetwork traffic, a security application is installed as an operatingsystem extension and utilizes a network extension service of theoperating system. Examples of operating systems include Mac OS, iOS,Android, Windows, Linux, Chrome OS, HP-UX, SCO Unix, Solaris, BSD, andFreeBSD. By using a network extension service, such as a virtual privatenetwork (VPN) stack of the operating system, the security application isable to access network traffic while executing in, e.g., anon-privileged sandboxed process controlled by the operating system.Executing in a non-privileged sandboxed process enhances security bypreventing the security application from being able to access certainsensitive resources, such as protected system resources or resourcesattributed to other applications. When a security application isexecuting in a sandboxed process, an attacker that exploits a securityhole of the security application is prevented from accessing thesesensitive resources, resulting in improved security.

Further, because the security application of this example is installedas an operating system extension, the security application isinitialized each time that the operating system is initialized, such aswhen the computer system is rebooted or powered on. At each reboot orpower on, the operating system is initialized and, at a certain pointduring initialization, begins to initialize operating system extensions,which include the security application. As a result, a user does notneed to remember to launch the security application. The securityapplication, due to being an operating system extension, is launchedeach time the operating system is initialized.

In an example where a security application utilizes the VPN stack, thesecurity application intercepts network traffic by conceptually creatinga VPN tunnel that starts and ends at the computer system. A typical VPNtunnel provides protected communication between two computer systems,where data sent via the VPN tunnel is encrypted while traveling betweenthe two computer systems. In this example, rather than creating a trueVPN tunnel between two computer systems, the security applicationutilizes the VPN stack to intercept network traffic before the networktraffic is transmitted to a communication network or to any othercomputer. By utilizing the VPN stack, or other network extensionservice, the security application is able to locally analyze the networktraffic to determine if the traffic indicates a potential securitythreat. This local analysis advantageously results in reduced dataaccess latency and lower communication network usage as compared to asystem that sends network traffic to a remote system for analysis. Whena potential security threat is indicated, the security application canprevent the network traffic from being transmitted to a communicationnetwork and being delivered to the destination computer system.

In some cases, the local computer system may not be capable ofadequately analyzing a portion of the network traffic, or analyzing someor all of the network traffic locally may not be desirable for somereason. In such a case, the security application can send the portion ofthe network traffic to be analyzed to a remote server for analysis. Forexample, the security application can create a VPN tunnel between thelocal computer system and the remote server, and can securely send theportion of the network traffic to the remote server for analysis. In afirst scenario, the security application waits for the remote server tocomplete its analysis of the network traffic that was sent to the remoteserver by the computer system before transmitting the network traffic toa communication network for delivery to the destination computer system.When the remote server determines that the network traffic indicates apotential security threat, the remote server notifies the securityapplication and the security application prevents the network trafficfrom being transmitted to a communication network and being delivered tothe destination computer system. When the remote server determines thatthe network traffic does not indicate a potential security threat, thesecurity application transmits the network traffic to the communicationnetwork where it is delivered to the destination computer system.

In a second scenario, the security application sends the network trafficto the remote server for analysis, but does not wait for the remoteserver to complete its analysis before transmitting the network trafficto a communication network for delivery to the destination computersystem, resulting in reduced latency of data access. If the remoteserver determines that the network traffic indicates a potentialsecurity threat, the remote server notifies the security application andthe security application prevents any additional network trafficdestined for the destination computer system from being delivered. Whenthe remote server is able to make the determination in a timely fashion,communication with the destination computer system can be stopped beforethe potential security threat materializes into an actual securitybreach of the local computer system.

In some embodiments, a person makes a determination whether the networktraffic indicates a potential security threat. In an example, the localcomputer system is being used by a child. When the child accessesunauthorized network data, such as by accessing a website that does notappear in a whitelisted list of websites, the security applicationintercepts the network traffic and notifies the parent that the child isaccessing an un-authorized website, such as by sending a message to theparent's smart phone that causes a notification that indicates thepotential security threat to be displayed by the smart phone. Thesecurity application prevents the network traffic from being sent to thedestination computer system until a response is received from theparent's smart phone. If the smart phone sends a message to the securityapplication that indicates that the parent authorizes the access, thesecurity application adds the website to the whitelisted list ofwebsites, and transmits the network traffic to the communication networkfor delivery to the destination computer system, enabling the child toaccess the web site. If the parent denies the access, the securityapplication adds the website to a blacklisted list of websites, andprevents the network traffic from being transmitted to the communicationnetwork, resulting in the child being prevented from accessing thewebsite.

The embodiments set forth below represent the necessary information toenable those skilled in the art to practice the embodiments, andillustrate the best mode of practicing the embodiments. Upon reading thefollowing description in light of the accompanying figures, thoseskilled in the art will understand the concepts of the disclosure andwill recognize applications of these concepts that are not particularlyaddressed here. It should be understood that these concepts andapplications fall within the scope of the disclosure and theaccompanying claims.

The purpose of terminology used herein is only for describingembodiments and is not intended to limit the scope of the disclosure.Where context permits, words using the singular or plural form may alsoinclude the plural or singular form, respectively.

As used herein, unless specifically stated otherwise, terms such as“processing,” “computing,” “calculating,” “determining,” “displaying,”“generating,” or the like, refer to actions and processes of a computeror similar electronic computing device that manipulates and transformsdata represented as physical (electronic) quantities within thecomputer's memory or registers into other data similarly represented asphysical quantities within the computer's memory, registers, or othersuch storage medium, transmission, or display devices.

As used herein, terms such as “connected,” “coupled,” or the like, referto any connection or coupling, either direct or indirect, between two ormore elements. The coupling or connection between the elements can bephysical, logical, or a combination thereof. References in thisdescription to “an embodiment,” “one embodiment,” or the like, mean thatthe particular feature, function, structure, or characteristic beingdescribed is included in at least one embodiment of the presentdisclosure. Occurrences of such phrases in this specification do notnecessarily all refer to the same embodiment. On the other hand, theembodiments referred to also are not necessarily mutually exclusive.

As used herein, terms such as “cause” and variations thereof refer toeither direct causation or indirect causation. For example, a computersystem can “cause” an action by sending a message to a second computersystem that commands, requests, or prompts the second computer system toperform the action. Any number of intermediary devices may examineand/or relay the message during this process. In this regard, a devicecan “cause” an action even though it may not be known to the devicewhether the action will ultimately be executed.

Note that in this description, any references to sending or transmittinga message, signal, etc. to another device (recipient device) mean thatthe message is sent with the intention that its information contentultimately be delivered to the recipient device; hence, such referencesdo not mean that the message must be sent directly to the recipientdevice. That is, unless stated otherwise, there can be one or moreintermediary entities that receive and forward the message/signal,either “as is” or in modified form, prior to its delivery to therecipient device. This clarification also applies to any referencesherein to receiving a message/signal from another device; i.e., directpoint-to-point communication is not required unless stated otherwiseherein.

As used herein, unless specifically stated otherwise, the term “or” canencompass all possible combinations, except where infeasible. Forexample, if it is stated that data can include A or B, then, unlessspecifically stated otherwise or infeasible, the data can include A, orB, or A and B. As a second example, if it is stated that data caninclude A, B, or C, then, unless specifically stated otherwise orinfeasible, the data can include A, or B, or C, or A and B, or A and C,or B and C, or A and B and C.

FIG. 1 is an illustration of a networking environment, consistent withvarious embodiments. Network environment 100 includes three networksthat are each protected by a firewall: business network 110, firstnetwork 140, and second network 170. Each of the three networks includesa communication network that enables data communication betweencomputing devices that are members of the network. For example, businessnetwork 110 includes communication network 115, which includes aplurality of devices (e.g., device 125A, device 125N, etc., referred tocollectively as “devices 125”), which enables devices 125 to communicatewith each other, with firewall 120, etc. First network 140 includescommunication network 145, which includes a plurality of devices (e.g.,device 155A, device 155N, etc., referred to collectively as “devices155”), which enables devices 155 to communicate with each other, withfirewall 150, etc. Second network 170 includes communication network175, which includes a plurality of devices (e.g., device 185A, device185N, etc., referred to collectively as “devices 185”) which enablesdevices 185 to communicate with each other, with firewall 180, etc.

The firewall of each of the three networks acts as a barrier to protectthe network by keeping unauthorized network traffic out of the network.For example, firewall 120 protects business network 110, firewall 150protects first network 140, and firewall 180 protects second network170. Public communication network 105 is a public network, such as theInternet or any other public network. Public communication network 105,which includes a plurality of devices (e.g., device 130A, device 130N,etc., referred to collectively as “devices 130”), enables devices 130,firewall 120, firewall 150, firewall 180, etc. to all communicate witheach other.

Communication networks 115, 145, and 175, and public communicationnetwork 105 can be any type of network that enables data communicationbetween computers. In various embodiments, one or more of communicationnetworks 115, 145, and 175, and public communication network 105 are orinclude any of a local area network (LAN), a wide area network (WAN), avirtual private network (VPN), a private network, a public network, acellular network, a short-range wireless network, a wireless local areanetwork (WLAN), etc. The cellular network can be any of various types,such as code division multiple access (CDMA), time division multipleaccess (TDMA), global system for mobile communications (GSM), long termevolution (LTE), 2G, 3G, 4G, etc. The short-range wireless network,which is used for short-range wireless communications, can also be anyof various types, such as Bluetooth, Bluetooth low energy (BLE), nearfield communication (NFC), etc. The WLAN can similarly be any of varioustypes, such as the various types of IEEE 802.11 networks, among others.Public communication network 105 can be any type of public communicationnetwork, such as the Internet.

Devices 125, 130, 155, and 185 can be any type of computing device, suchas a desktop computer, a laptop computer, a file server, a networkattached storage (NAS) device, a mobile device, or a server, amongothers. Examples of mobile devices include smart phones, tablets,portable media devices, wearable devices, laptops, and other portablecomputers. In some embodiments, first network 140 represents a cloudstorage or cloud compute provider, and second network 170 represents ahome network.

FIG. 2 is an illustration of a first network traffic inspectionenvironment, consistent with various embodiments. In the example of FIG.2, smartphone 205 can be device 185A of FIG. 1, computer 215 can bedevice 125A, Internet 225 can be public communication network 105, andsecurity application 220 can be executing on computer 215, or anothercomputer. Many other configurations are possible, and this is just onepossible configuration. In the example of FIG. 2, a user utilizes a webbrowser of smartphone 205 to access a website. The user inputs a UniformResource Locator (URL), and, when the host section of the URL is not anInternet Protocol (IP) address, the host section of the URL istranslated to an IP address by use of a Domain Name Service (DNS). TheIP address in this example happens to be the IP address of destinationcomputer 230. Smartphone 205 creates and sends one or more IP packetsvia a cellular network to initiate the website access. An IP packet canbe an Internet Protocol Version 4 (IPv4) packet, or an Internet ProtocolVersion 6 (IPv6) packet, among others. Smartphone 205 sends the IPpackets for delivery to destination computer 230, which hosts thewebsite. The IP packets, which include the IP address associated withthe URL, are intercepted by communication channel 210, which is a VPNtunnel between smartphone 205 and computer 215. The IP packetsintercepted by communication channel 210 are sent to computer 215 foranalysis by a security application, which can be executing on computer215 or another computer.

As the IP packets are sent between smartphone 205 and computer 215, datacharges from the cellular service provider are incurred. Computer 215sends the IP packets to the security application. The securityapplication determines that the IP packets do not indicate a securitythreat, and computer 215 forwards the packets for delivery todestination computer 230 via Internet 225. Destination computer 230sends the requested website data to computer 215 via Internet 225, andcomputer 215 forwards the website data to smart phone 205 by use ofcommunication channel 210. The user of smart phone 205 is annoyed due tothe slow response to his website data request. He is further annoyedwhen he receives his bill from his cellular provider, and sees how muchin data charges he has incurred.

FIG. 3A is an illustration of a second network traffic inspectionenvironment, consistent with various embodiments. In the example of FIG.3A, smartphone 305 can be device 185A of FIG. 1 and is running operatingsystem 350 of FIG. 3B, computer 320 can be device 125A, Internet 325 canbe public communication network 105, and security application 315 isexecuting at smartphone 305. Many other configurations are possible, andthis is just one possible configuration. In the example of FIGS. 3A and3B, a user utilizes a web browser of smartphone 305 to access a website.The user inputs a URL, and the URL is translated to an IP address, whichcorresponds to destination computer 330, by smartphone 305, in someembodiments with the assistance of operating system 350. Smartphone 305creates and sends one or more IP packets to initiate the website access,and sends the IP packets for delivery to destination computer 330, whichhosts the website. However, the IP packets are intercepted bycommunication extension 310, which in this example is an extension ofoperating system 350, namely, network extension 355, before the IPpackets are transmitted to a communication network. Communicationextension 310 is implemented by use of a network extension service ofthe operating system. In this example, network extension 355 utilizes aVPN stack of the operating system, namely, VPN stack 360, in order tointercept network traffic before the traffic is transmitted to acommunication network.

For IP packets that are analyzed by security application 315,advantageously no data charges are incurred from the cellular serviceprovider as a result of analysis because the IP packets are analyzed bysecurity application 315 before the data is transmitted to acommunication network. In some cases, security application 315 whenrunning on smartphone 305 may not be able to adequately analyze all IPpackets, or it may be otherwise undesirable to analyze some or all ofthe IP packets locally. In those cases, security application 315 cansend the packets to be further analyzed to computer 320, which may be acloud computer, for analysis. When security application 315 determinesthat the IP packets indicate a security threat, security application 315prevents the IP packets from being transmitted to a communicationnetwork, such as Internet 325. Security application 315 causes a messageto be displayed on smartphone 305, such as message 605 of FIG. 6. Whensecurity application 315 determines that the IP packets do not indicatea security threat, security application 315 allows the IP packets to betransmitted to a communication network for delivery to destinationcomputer 330.

FIG. 4 is an illustration of a method for inspecting network traffic,consistent with various embodiments. In the example of FIG. 4, mobiledevice 405 can be device 185A of FIG. 1, infrastructure computer 410 canbe device 125A, server 415 can be device 125N, and destination computer420 can be device 155A. Many other configurations are possible, and thisis just one possible configuration. A user has a friend who had hisidentity stolen, and who has been spending a lot of time trying torecover from this criminal act. After some exploration, the user hasdiscovered that there are many ways that a user's online security can bejeopardized. During his investigation, he came across a number ofexamples of security threats, such as phishing, spear-phishing,smishing, infiltration and exfiltration from botnets, as well as theexamples illustrated in FIGS. 7A-7E. The user decides to download asecurity application. He uses his mobile device to navigate to an onlineapplication store, where he initiates the download and install of thesecurity application. While the user of this example is using a mobiledevice, the user can be using any type of computing device. At block468, server 415 sends a download package for the security application tothe user's mobile device, mobile device 405, where at block 425, mobiledevice 405 receives the download package for the security application.

At block 428, mobile device 405 installs the security application as anoperating system extension, and at block 430, the mobile deviceinitializes/launches the security application. An operating systemextension is software that extends the operating system's functionality,and that is initiated/launched at startup time (e.g., at power on,reboot, etc. of the device) by the operating system. Typicalapplications are not installed as operating system extensions. As aresult, a user needs to remember to initialize/launch such applications.Further, a typical application may not be able to access certainsensitive resources, unless installed with elevated privileges. Toenable access to certain resources, some applications are installed withelevated privileges, with a resulting increase in the potential severityof damage that can result from an attack that takes advantage of anysecurity hole in the application.

When a software program, also referred to as an application, isinstalled as an operating system extension, the operating system canexecute the software program in a sandboxed process, which is arestricted operating system environment where access to resources can becontrolled by the operating system. Sandboxing is a security techniquethat isolates programs, preventing malicious or malfunctioning programs,such as a program that has suffered a security breach from an attackthat takes advantage of a security hole of the program, from accessing,damaging, or snooping on protected resources of a user's computer.

After the security application is installed and initialized, the userselects and launches an application, and the selected applicationgenerates some network traffic. The selected application can be anyapplication that generates network traffic, such as a web browser or anyother application that communicates with other computers via a network.At block 433, the selected application sends an IP packet for deliveryto destination computer 420. In some embodiments, the selectedapplication sends the IP packet for delivery to destination computer 420when the selected application sends a message that prompts generation ofthe IP packet and that indicates to deliver the IP packet to destinationcomputer 420. For example, the selected application can send the IPpacket for delivery to destination computer 420 by sending a messagethat includes a URL of a webpage that is hosted by destination computer420, or by sending any other message that prompts generation of the IPpacket and that indicates to deliver the IP packet to destinationcomputer 420.

At block 438, the security application, represented by securityapplication 435 in FIG. 4 (which indicates the blocksexecuted/caused/triggered/etc. by security application 435 in theexample of FIG. 4 by enclosing the blocks), intercepts the IP packet. Insome embodiments, the security application utilizes functionalityavailable via a network extension service of the operating system tointercept or monitor network traffic. In some embodiments, a networkextension service is a framework that contains application programinterfaces (APIs) that can be used to customize and extend the corenetworking features of the operating system. In an example, the networkextension service utilizes functionality available via a VPN stack ofthe operating system to enable interception or monitoring of networktraffic. In another example, the network extension service is the VPNstack of the operating system. A networking extension service can be,for example, network extension 355 of FIG. 3B, and a VPN stack can beVPN stack 360.

The IP packet can be intercepted by the security application in any ofvarious ways. In a first example where the selected application sendsthe IP packet by sending a message that includes a URL that indicatesdestination computer 420, the security application intercepts the IPpacket by intercepting a message that includes the URL (block 438). In asecond example where the selected application sends the IP packet bysending a message that includes a URL that indicates destinationcomputer 420, the operating system, in combination with othercommunications/networking functionality of mobile device 405, maps theURL to the IP address of destination computer 420 and generates an IPpacket for delivery to destination computer 420. Before the IP packet istransmitted to a communication network, such as a cellular network, theIP packet is intercepted by the security application (block 438).

At block 440, the security application determines whether the IP packetcan be analyzed locally, such as to determine if the IP packet indicatesa security threat. Analyzing the IP packet locally can have severaladvantages, such as reduced network traffic due to not sending the IPpacket to a remote device, increased privacy and reduced latency due tonot sending the IP packet to a remote device for analysis, increasedrobustness due to not sending the IP packet to a remote server that maybe susceptible to, e.g., a denial of service attack, or for otherreasons. The determination as to whether to analyze the IP packetlocally can be based on any of various factors. For example, thedetermination can be based on the processing power of the local device,the memory storage capacity of the local device, the data or otherresources available to the local device, the amount of power thatperforming the analysis locally would consume, the current utilizationof the local device, etc. When the security application determines toanalyze the IP packet locally (block 443), the security applicationdetermines whether the IP packet indicates a threat (448) based on ananalysis of the IP packet performed locally. When the securityapplication determines to analyze the IP packet remotely (block 443),the security application determines whether the IP packet indicates athreat (448) based on an analysis of the IP packet transmitted(445)/performed remotely upon receipt (463/465). The determination bythe security application as to whether the IP packet indicates a threat(448) can in turn be based on a determination by a remote computer,e.g., infrastructure computer 410 in the example of FIG. 4, that thepacket indicates a threat (block 465), and may also additionally bebased on analysis performed by the local device (e.g., mobile device405).

The determination whether an IP packet indicates a threat (block448/465) can be based on any of various analyses. In some embodiments,an analysis of an IP packet includes an analysis of other IP packetsthat are associated with the IP packet. In yet other embodiments, ananalysis of an IP packet includes an analysis of other data that isassociated with the IP packet, such as an email message, a short messagesystem (SMS) message, a domain name, etc., among others. In some cases,the IP address or domain name indicating the destination of the IPpacket is compared against a blacklist of IP addresses or domain names,where the blacklisted IP addresses and domain names indicate a securitythreat, or against a whitelist of IP addresses or domain names, wherethe whitelisted IP addresses and domain names do not indicate a securitythreat. For example, a user may be fooled by the phishing message ofFIG. 7A, and may click on CHANGE PASSWORD in response to the phishingmessage. When the user clicks on CHANGE PASSWORD, mobile device 405attempts to communicate with a phishing website and sends an IP packetfor delivery to the phishing website (block 433). The securityapplication intercepts the IP packet (block 438), and, depending onblock 443, mobile device 405 or infrastructure computer 410 determinesthat an IP address indicated by the IP packet appears in a blacklist ofIP addresses, and determines that the IP packet indicates a threat(block 448/465).

In other cases, an email message that includes a website link that auser clicks on is analyzed as part of analyzing the IP packet. Forexample, a user may receive the email message of FIG. 7B or of FIG. 7D.The user, being fooled by the email message, which may be a phishingemail, clicks on a website link contained within the message. Inresponse, mobile device 405 attempts to communicate with the websitethat is associated with the website link and sends an IP packet fordelivery to the website (block 433). The security application interceptsthe IP packet (block 438), detects that the IP packet was sent inassociation with clicking on the website link in the email message, and,depending on block 443, mobile device 405 or infrastructure computer 410analyzes the email message as part of analyzing the IP packet. For theemail of FIG. 7B, the analysis includes analyzing the email address ofthe sender, express@ssl1-airnb.com, which appears in the message of FIG.7B. For the email of FIG. 7C, the analysis includes analyzing the domainname of the website, update-apple.uk, which appears in the message ofFIG. 7C. For the email of FIG. 7D, the analysis includes analyzing thedomain name of the website, which, while it is not visible in the email,is accessible via the message of FIG. 7D, such as via a URL included inthe message of FIG. 7D and accessible via the website link.

The domain names of these examples raise suspicion in, e.g., at leasttwo ways. First is that the domain name associated with the emailaddress (ssl1-airnb.com) or the URL (update-apple.uk) is each similar toa well-known domain name (airbnb.com or apple.com), and second is thatthe ssl1-airnb.com domain name includes a potentially misleadingcharacter, in that the hyphen between ssl1 and airnb can be interpretedby a user to indicate a subdomain (e.g., to indicate that ssl1 is asubdomain of airnb, as ssl1.airnb would properly indicate that ssl1 wasa subdomain of airnb). For the email of FIG. 7D, the analysis includesanalyzing the email, which indicates that the email includes a link to aGoogle doc, and includes analyzing the website link (activated byclicking on “Open in Docs”). The website link raises a suspicion becauseit is not a link to a Google doc, nor even to a valid Google website.Based on these suspicions, mobile device 405 or infrastructure computer410 determines that the IP packet indicates a threat (block 448/465). Insome cases, the domain name may appear in a list of whitelisted orblacklisted domain names.

In yet other cases, an SMS message that includes a website link that auser clicks on is analyzed as part of analyzing the IP packet. Forexample, a user may receive the SMS message of FIG. 7E. The user, beingfooled by the SMS message, clicks on https://icloud.com/FindMyiPhone/,which is a website link contained in the message. The user is fooled inthat he does not recognize that the “i” in icloud is not an “i,” butrather is the international character “i” (i-circumflex, a letter in,e.g., the Friulian, Kurdish, and Romanian alphabets). This is especiallyhard to detect on a smartphone, where displayed characters are quitesmall. In response, mobile device 405 attempts to communicate with thewebsite that is associated with the website link and sends an IP packetfor delivery to the website (block 433). The security applicationintercepts the IP packet (block 438), detects that the IP packet wassent in association with clicking on the website link in the SMSmessage, and, depending on block 443, mobile device 405 orinfrastructure computer 410 analyzes the URL of the website link, andmay also analyze the SMS message, as part of analyzing the IP packet.

The URL raises a suspicion in, e.g., two ways. First is that the domainname associated with the email address (icloud.com) is similar to awell-known domain name (e.g., icloud.com), and second is that the domainname includes a potentially misleading character, in that the domainname includes an international character that is similar to an Englishcharacter. Based on these suspicions, mobile device 405 orinfrastructure computer 410 determines that the IP packet indicates athreat (block 448/465).

In some cases, a user's pattern of behavior is analyzed as part ofanalyzing the IP packet. For example, network traffic generated by auser when the user is browsing various websites, running variousapplications that communicate with remote computers, etc., can beanalyzed to determine if the pattern of behavior exhibits anomalous orotherwise suspicious behavior. Examples of suspicious behavior include,for example, sending login ID or password information to an unknownwebsite, accessing a new website that is not related to any previouslyvisited websites, accessing multiple blacklisted websites over a periodof time, attempting and failing to log in to a previously visitedwebsite multiple times, etc. The analysis can be performed by use of amachine learning algorithm, among others, and can be based on a historicpattern of usage as indicated by historic intercepted network traffic.

In yet other cases, analysis of an IP packet can include analysis by ahuman being of the IP packet or of any other data associated with the IPpacket. For example, a child may access a website by clicking on a URLvia mobile device 405, and mobile device 405 may send an IP packet fordelivery to the host of the website (block 433). The securityapplication intercepts the IP packet (block 438), and, depending onblock 443, mobile device 405 or infrastructure computer 410 analyzes theURL as part of analyzing the IP packet and detects that the IP packetwas sent to a previously unvisited website. A determination is made thatthe child has not visited the website associated with this URL, and theURL is sent to the mobile device of the child's parent or an adult whois supervising the child for review and approval. A determination ismade whether the IP packet indicates a threat (block 448/465) based onthe response received from the parent or adult supervisor.

In some cases, analysis of an IP packet can include analysis by a policyengine that decides what to do with the packet, such as letting thepacket pass through, blocking the packet, modifying the packet, orreplacing the packet with a different packet, among others. The policyengine can be part of a privilege-less virtual network interface (PVNI)of an operating system, which can use the policy engine to control flowof network traffic. The analysis of the IP packet can include, forexample, the following steps: setup of a PVNI by starting a PVNIprivileged daemon, which bridges the data flow that goes from the policyengine(s) to the kernel. Creation of a virtual network interface, e.g.,vir0, as well as a routing table policy is performed, so that alltraffic coming and going to the target application(s) goes through vir0.As a form of example, in an example Linux system, the PVNI privilegeddaemon runs as root, and the virtual network interface is represented asutun0, and there is only one instance of this daemon. Finally, the PVNIpolicy engine daemon is started, which enables use of a user-modeprocess to inspect the network traffic.

When a determination is made that an IP packet does not indicate athreat (block 450), the security application sends the IP packet (block453) to destination computer 420, where the packet is received (block470). Destination computer 420 responds by sending the requested data(block 473) to mobile device 405, where the data is received (block 455)and forwarded to the application that requested the data.

When a determination is made that an IP packet does indicate a threat(block 450), the security application prevents the IP packet from beingtransmitted (block 458) and displays a message (block 460) on mobiledevice 405, such as any of the messages displayed on mobile devices 605,610, or 615 of FIG. 6. In some embodiments, the message displayed (block460) indicates that a potential security threat was detected and thedata access is blocked. In some embodiments, the security application,rather than preventing the IP packet from being transmitted, modifiesthe IP packet before transmission. For example, the IP packet can bemodified to remove sensitive data, such as a login ID, a password, etc.

In some cases, the determination as to whether an IP packet indicates athreat (block 448/465) may take enough time that the user's perceptionof the performance of accessing remote data may be negatively impacted.For example, a determination made by a remote computer, such asinfrastructure computer 410, made based on input from a human being,etc., may take enough time that a user would be unhappy with theperformance. In some embodiments, rather than waiting for adetermination to be made as to whether an initial IP packet indicates athreat (block 448/465), the initial IP packet is transmitted to anetwork for delivery to destination computer 420. Subsequent related IPpackets, also sent for delivery to the destination computer (block 433)before a determination is made as to whether the initial IP packetindicates a threat, are similarly transmitted to the network fordelivery to destination computer 420. Once a determination is madewhether the initial IP packet indicates a threat (block 448/465), and ifthe determination is that the initial IP packet does indicate a threat(block 450), subsequently sent IP packets are prevented from beingtransmitted to the network for delivery to destination computer 420(block 458), and subsequently received data from destination computer420 is discarded without being forwarded to the requesting application.

In some embodiments, rather than determining if an IP packet indicates athreat and preventing the IP packet from being transmitted, the securityapplication can determine if an IP packet indicates data that isparticularly sensitive from a security standpoint, such as datatransmitted via a banking application to a bank server (e.g., thebanking application executing at mobile device 405 and the bank serverbeing destination computer 420), can create a VPN tunnel from mobiledevice 405 to destination computer 420, and can securely send the datafrom mobile device 405 to destination computer 420. This can protectagainst, for example, a rogue WiFi network intercepting data sentbetween mobile device 405 and destination computer 420.

In some embodiments, rather than determining if an IP packet indicates athreat and preventing the IP packet from being transmitted, the securityapplication can monitor the IP packet to determine application usage.For example, the security application can determine which applicationsexecuting at mobile device 405 are most commonly used by a user. Thisapplication usage data or statistics can be delivered to people orentities that are interested in the usage data, such as makers ofapplications, advertising companies, etc.

In some embodiments, rather than determining whether an IP packetindicates a threat, the technique disclosed herein can be used: todetect and prevent trackers, such as SDK-based mobile tracking software,an example being a “hot-mic” SDK; collection of usage statistics basedon network traffic patterns, such as detection and measurement of whichapplications are being used and for how long; detection and measurementof in-app purchases generated by applications; detection and measurementof ad impressions and ad networks used by applications; detection ofecosystem components (e.g., APL SDKs, Ad Network SDKs, Monetization andGrowth SDKs, etc.), such as those used by a particular application;tracking bandwidth usage of a shared data plan, such as for personalversus corporate usage; establishing bandwidth limits on non-corporateapplications on corporate devices; parental control technology forparents to track, control, or limit their children's use of applicationsor web browsers on a device; to implement a real-time reputation scoringsystem on a device, such as: SSL certificate reputation, inspect X509certificates in real-time, and provide a reputation score in order toprevent access to fake or ill reputed sites; ASN/IP reputation, inspectconnections to IP address ranges in real-time and provide a reputationscore for the destination IP in order to prevent unauthorized access toC&C servers of known malware, spyware, and ransomware; domainreputation, inspect DNS requests in real-time and provide a reputationscore for the domain in order to prevent unauthorized access to C&Cservers of known malware, spyware and ransomware; applicationreputation, by inspecting some or all DNS, IP, and SSL communications,our system can detect application usage by fingerprinting resources ofthe application, and leveraging this unique potential, our system canthen provide a reputation score in real-time for the application that isactive.

FIG. 8 is a high-level block diagram illustrating an example of aprocessing system in which at least some operations described herein canbe implemented, consistent with various embodiments. The processingsystem can be processing device 800, which represents a system that canrun any of the methods/algorithms described above. For example,processing device 800 can be any of devices 125A-N, 130A-N, 155A-N, or185A-N, firewalls 120, 150, or 180, mobile device 405, infrastructurecomputer 410, server 415, or destination computer 420, among others. Asystem may include two or more processing devices such as represented inFIG. 8, which may be coupled to each other via a network or multiplenetworks. A network can be referred to as a communication network.

In the illustrated embodiment, the processing device 800 includes one ormore processors 802, memory 804, a communication device 806, and one ormore input/output (I/O) devices 808, all coupled to each other throughan interconnect 810. The interconnect 810 may be or include one or moreconductive traces, buses, point-to-point connections, controllers,adapters, and/or other conventional connection devices. Each of theprocessors 802 may be, or include, for example, one or moregeneral-purpose programmable microprocessors or microprocessor cores,microcontrollers, application specific integrated circuits (ASICs),programmable gate arrays, or the like, or a combination of such devices.The processor(s) 802 control the overall operation of the processingdevice 800. Memory 804 may be or include one or more physical storagedevices, which may be in the form of random access memory (RAM),read-only memory (ROM) (which may be erasable and programmable), flashmemory, miniature hard disk drive, or other suitable type of storagedevice, or a combination of such devices. Memory 804 may store data andinstructions that configure the processor(s) 802 to execute operationsin accordance with the techniques described above. The communicationdevice 806 may be or include, for example, an Ethernet adapter, cablemodem, Wi-Fi adapter, cellular transceiver, Bluetooth transceiver, orthe like, or a combination thereof. Depending on the specific nature andpurpose of the processing device 800, the I/O devices 808 can includedevices such as a display (which may be a touch screen display), audiospeaker, keyboard, mouse or other pointing device, microphone, camera,etc.

While processes or blocks are presented in a given order, alternativeembodiments may perform routines having steps, or employ systems havingblocks, in a different order, and some processes or blocks may bedeleted, moved, added, subdivided, combined, and/or modified to providealternative or sub-combinations, or may be replicated (e.g., performedmultiple times). Each of these processes or blocks may be implemented ina variety of different ways. In addition, while processes or blocks areat times shown as being performed in series, these processes or blocksmay instead be performed in parallel, or may be performed at differenttimes. When a process or step is “based on” a value or a computation,the process or step should be interpreted as based at least on thatvalue or that computation.

Software or firmware to implement the techniques introduced here may bestored on a machine-readable storage medium and may be executed by oneor more general-purpose or special-purpose programmable microprocessors.A “machine-readable medium,” as the term is used herein, includes anymechanism that can store information in a form accessible by a machine(a machine may be, for example, a computer, network device, cellularphone, personal digital assistant (PDA), manufacturing tool, any devicewith one or more processors, etc.). For example, a machine-accessiblemedium includes recordable/non-recordable media (e.g., read-only memory(ROM); random access memory (RAM); magnetic disk storage media; opticalstorage media; flash memory devices; etc.), etc.

Note that any and all of the embodiments described above can be combinedwith each other, except to the extent that it may be stated otherwiseabove or to the extent that any such embodiments might be mutuallyexclusive in function and/or structure.

Although the present invention has been described with reference tospecific exemplary embodiments, it will be recognized that the inventionis not limited to the embodiments described, but can be practiced withmodification and alteration within the spirit and scope of the appendedclaims. Accordingly, the specification and drawings are to be regardedin an illustrative sense rather than a restrictive sense.

Physical and functional components (e.g., devices, engines, modules, anddata repositories, etc.) associated with processing device 800 can beimplemented as circuitry, firmware, software, other executableinstructions, or any combination thereof. For example, the functionalcomponents can be implemented in the form of special-purpose circuitry,in the form of one or more appropriately programmed processors, a singleboard chip, a field programmable gate array, a general-purpose computingdevice configured by executable instructions, a virtual machineconfigured by executable instructions, a cloud computing environmentconfigured by executable instructions, or any combination thereof. Forexample, the functional components described can be implemented asinstructions on a tangible storage memory capable of being executed by aprocessor or other integrated circuit chip. The tangible storage memorycan be computer readable data storage. The tangible storage memory maybe volatile or non-volatile memory. In some embodiments, the volatilememory may be considered “non-transitory” in the sense that it is not atransitory signal. Memory space and storages described in the figurescan be implemented with the tangible storage memory as well, includingvolatile or non-volatile memory.

Each of the functional components may operate individually andindependently of other functional components. Some or all of thefunctional components may be executed on the same host device or onseparate devices. The separate devices can be coupled through one ormore communication channels (e.g., wireless or wired channel) tocoordinate their operations. Some or all of the functional componentsmay be combined as one component. A single functional component may bedivided into sub-components, each sub-component performing a separatemethod step or method steps of the single component.

In some embodiments, at least some of the functional components shareaccess to a memory space. For example, one functional component mayaccess data accessed by or transformed by another functional component.The functional components may be considered “coupled” to one another ifthey share a physical connection or a virtual connection, directly orindirectly, allowing data accessed or modified by one functionalcomponent to be accessed in another functional component. In someembodiments, at least some of the functional components can be upgradedor modified remotely (e.g., by reconfiguring executable instructionsthat implement a portion of the functional components). Other arrays,systems, and devices described above may include additional, fewer, ordifferent functional components for various applications.

Aspects of the disclosed embodiments may be described in terms ofalgorithms and symbolic representations of operations on data bitsstored in memory. These algorithmic descriptions and symbolicrepresentations generally include a sequence of operations leading to adesired result. The operations require physical manipulations ofphysical quantities. Usually, though not necessarily, these quantitiestake the form of electric or magnetic signals that are capable of beingstored, transferred, combined, compared, and otherwise manipulated.Customarily, and for convenience, these signals are referred to as bits,values, elements, symbols, characters, terms, numbers, or the like.These and similar terms are associated with physical quantities and aremerely convenient labels applied to these quantities.

While embodiments have been described in the context of fullyfunctioning computers, those skilled in the art will appreciate that thevarious embodiments are capable of being distributed as a programproduct in a variety of forms and that the disclosure applies equally,regardless of the particular type of machine or computer-readable mediaused to actually affect the embodiments.

The invention claimed is:
 1. A method, comprising: executing anapplication on a mobile device, wherein the application was previouslyinstalled as an operating system extension that uses a virtual privatenetwork (VPN) stack of the operating system to create a VPN tunnel thatstarts and ends on the mobile device to intercept Internet Protocol (IP)packets for delivery to a remote computer system, wherein the operatingsystem extension extends the operating system's functionality, andwherein the operating system extension is initiated by the operatingsystem; intercepting, by the application, a first IP packet in the VPNtunnel, using the VPN stack; determining an action to take in responseto intercepting the first IP packet, wherein the determination is basedat least in part on analyzing the packet; and taking the determinedaction.
 2. The method of claim 1 wherein determining the action to takeincludes detecting a tracker.
 3. The method of claim 2 wherein thetracker comprises SDK-based mobile tracking software.
 4. The method ofclaim 1 wherein taking the determined action includes preventingtracking.
 5. The method of claim 1 wherein determining the action totake includes collecting usage statistics.
 6. The method of claim 5wherein the usage statistics are collected based on network trafficpatterns.
 7. The method of claim 6 wherein the usage statistics includestatistics on one or more applications used.
 8. The method of claim 7wherein the usage statistics include statistics on how long the one ormore applications are used.
 9. The method of claim 1 wherein determiningthe action to take includes detecting an in-app purchase generated by anapplication.
 10. The method of claim 1 wherein determining the action totake includes detecting an ad impression associated with an application.11. The method of claim 1 wherein determining the action to takeincludes detecting an ad network used by an application.
 12. The methodof claim 1 wherein determining the action to take includes detecting asoftware development kit used by an application.
 13. The method of claim1 wherein determining the action to take includes tracking bandwidthusage.
 14. The method of claim 13 wherein the bandwidth is associatedwith a shared data plan.
 15. The method of claim 13 wherein taking thedetermined action includes limiting usage of an application.
 16. Themethod of claim 1 wherein determining the action to take includesdetermining a reputation score for a site.
 17. The method of claim 16wherein determining the action to take includes evaluating an SSLcertificate reputation.
 18. The method of claim 16 wherein determiningthe action to take includes evaluating an X.509 certificate.
 19. Themethod of claim 16 wherein determining the action to take includesevaluating an IP address reputation.
 20. The method of claim 16 whereindetermining the action to take includes inspecting a DNS request andproviding a reputation score for a domain.
 21. A system comprising: aprocessor configured to: execute an application on a mobile device,wherein the application was previously installed as an operating systemextension that uses a virtual private network (VPN) stack of theoperating system to create a VPN tunnel that starts and ends on themobile device to intercept Internet Protocol (IP) packets for deliveryto a remote computer system, wherein the operating system extensionextends the operating system's functionality, and wherein the operatingsystem extension is initiated by the operating system; intercept, by theapplication, a first IP packet in the VPN tunnel, using the VPN stack;determine an action to take in response to intercepting the first IPpacket, wherein the determination is based at least in part on analyzingthe packet; and taking the determined action; and a memory coupled tothe processor and configured to provide the processor with instructions.22. The system of claim 21 wherein determining the action to takeincludes detecting a tracker.
 23. The system of claim 22 wherein thetracker comprises SDK-based mobile tracking software.
 24. The system ofclaim 21 wherein taking the determined action includes preventingtracking.
 25. The system of claim 21 wherein determining the action totake includes collecting usage statistics.
 26. The system of claim 25wherein the usage statistics are collected based on network trafficpatterns.
 27. The system of claim 26 wherein the usage statisticsinclude statistics on one or more applications used.
 28. The system ofclaim 27 wherein the usage statistics include statistics on how long theone or more applications are used.
 29. The system of claim 21 whereindetermining the action to take includes detecting an in-app purchasegenerated by an application.
 30. The system of claim 21 whereindetermining the action to take includes detecting an ad impressionassociated with an application.
 31. The system of claim 21 whereindetermining the action to take includes detecting an ad network used byan application.
 32. The system of claim 21 wherein determining theaction to take includes detecting a software development kit used by anapplication.
 33. The system of claim 21 wherein determining the actionto take includes tracking bandwidth usage.
 34. The system of claim 33wherein the bandwidth is associated with a shared data plan.
 35. Thesystem of claim 33 wherein taking the determined action includeslimiting usage of an application.
 36. The system of claim 21 whereindetermining the action to take includes determining a reputation scorefor a site.
 37. The system of claim 36 wherein determining the action totake includes evaluating an SSL certificate reputation.
 38. The systemof claim 36 wherein determining the action to take includes evaluatingan X.509 certificate.
 39. The system of claim 36 wherein determining theaction to take includes evaluating an IP address reputation.
 40. Thesystem of claim 36 wherein determining the action to take includesinspecting a DNS request and providing a reputation score for a domain.